CanaRy

Problem

This time we added a canary to detect buffer overflows. Can you still find a way to retreive the flag from this program located in /problems/canary_2_dffbf795b4788666d54a993a5e41d145. Source.

Solution

BUF_SIZE is 32 bytes so offset by 'a'*32 since canary will be next in stack
Leak the canary by running the break-canary.py file on the shell server
Paste Canary into bruteforce-pie.py on line 13
Offset after canary determined using cyclic(24) and cyclic_find() with python2 -c "from pwn import *; print 'a'*32 + 'ex;Y' + cyclic(100)" | ./vuln locally to get offset as 'a'*16.
Last 1.5 bytes of display_flag function determined with readelf -s vuln
First byte found with gdb by placing a breakpoint at vuln and running which got Breakpoint 1, 0x56622a14 in main () and more importantly the first byte 0x56
Loops in hex are used to bruteforce every possible value for the remaining 1.5 bytes and p32 from pwntools is used to convert to little endian
Run bruteforce-pie.py on shell server by pasting bruteforce_pie function (after running from pwn import *) into python terminal and then running print bruteforce_pie()
Flag will appear in a few minutes
If the flag doesn't appear after running the program then run it again and it will work (the program doesn't check addresses with zeros in them)

Flag

picoCTF{cAnAr135_mU5t_b3_r4nd0m!_1df5fde9}

PreviousOverFlow 2 NextNewOverFlow-1

Last updated 3 years ago

Was this helpful?

CanaRy

Problem

This time we added a canary to detect buffer overflows. Can you still find a way to retreive the flag from this program located in /problems/canary_2_dffbf795b4788666d54a993a5e41d145. Source.

Solution

BUF_SIZE is 32 bytes so offset by 'a'*32 since canary will be next in stack
Leak the canary by running the break-canary.py file on the shell server
Paste Canary into bruteforce-pie.py on line 13
Offset after canary determined using cyclic(24) and cyclic_find() with python2 -c "from pwn import *; print 'a'*32 + 'ex;Y' + cyclic(100)" | ./vuln locally to get offset as 'a'*16.
Last 1.5 bytes of display_flag function determined with readelf -s vuln
First byte found with gdb by placing a breakpoint at vuln and running which got Breakpoint 1, 0x56622a14 in main () and more importantly the first byte 0x56
Loops in hex are used to bruteforce every possible value for the remaining 1.5 bytes and p32 from pwntools is used to convert to little endian
Run bruteforce-pie.py on shell server by pasting bruteforce_pie function (after running from pwn import *) into python terminal and then running print bruteforce_pie()
Flag will appear in a few minutes
If the flag doesn't appear after running the program then run it again and it will work (the program doesn't check addresses with zeros in them)

Flag

picoCTF{cAnAr135_mU5t_b3_r4nd0m!_1df5fde9}

PreviousOverFlow 2 NextNewOverFlow-1

Last updated 3 years ago

Was this helpful?